Ephemeral security credentials are often issued by a service provider if a user loses access to an account but otherwise has access to a channel of communication previously associated with the account. For example, if a user forgets his or her password, the user may be able to access a “password reset” function of a service provider that sends an ephemeral security credential such as an alphanumeric token to the email address previously registered with the account. When the user subsequently provides the token to the service provider, the user thereby proves that he or she has access to the email address, which may be regarded by the service provider as confirming the user's identity.
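The reset flow described above can be sketched as follows. This is an added example, not code from the original text; the function names, the in-memory store and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; the text gives no value
_pending = {}                 # registered email -> (SHA-256 of token, expiry time)


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create the token that is mailed to the address registered with the account."""
    now = time.time() if now is None else now
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, alphanumeric
    # Store only a hash, so a leaked store does not yield usable tokens.
    # Issuing again overwrites, and so invalidates, any earlier token.
    _pending[email] = (_digest(token), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Return True exactly once if the token matches the account and is unexpired."""
    now = time.time() if now is None else now
    record = _pending.get(email)
    if record is None:
        return False
    stored, expires_at = record
    if now >= expires_at:
        del _pending[email]        # ephemeral: an expired token is discarded
        return False
    # Constant-time comparison avoids leaking how much of a guess matched.
    if not hmac.compare_digest(stored, _digest(token)):
        return False
    del _pending[email]            # single use: a redeemed token cannot be replayed
    return True
```

A production service would also limit failed redemption attempts per account and keep the pending records in persistent storage.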